Monster Breach Shows New Security Ideas Needed

Is corporate security fighting yesterday's war with last decade's weapons?

For some security experts, the recent data breach at job site Monster.com comes as no surprise, and they say enterprises need to re-think their approach to security.

"When most organizations talk about security, they're talking about network security, which is five years out of date," Brian Contos, chief security strategist at database and Web application security vendor Imperva, told InternetNews.com. "Attackers are focusing on data, not the technology."

Enterprises need to change their approach to security, Contos said. Hackers are moving away from exploiting vulnerabilities that can be blocked by a network firewall or detected by an intrusion prevention system, and toward attacking the data itself through social engineering, he said.

Most existing protection systems work by restricting access to enterprise infrastructure or databases. For example, the PCI Data Security Standard (requirement 6.6) obliges merchants that take debit and credit cards to protect their public-facing Web applications, either by installing a Web application firewall in front of them or by having the application code reviewed for vulnerabilities, to keep hackers out.

That is not enough, Contos said. "You now need to look at how people are interacting with the data, how much data was downloaded over a period of time, what time of day they accessed the data, whether it's anomalistic," he explained. "You need prevention, detection and rapid response capabilities because ultimately you need to respond."
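The kind of data-access monitoring Contos describes, profiling how much data each user pulls, over what period and at what hour, and flagging what deviates from that profile, as an added example that is not code from Monster.com, Imperva or the article. The audit-log format, the user names, the baseline window and the thresholds (3 standard deviations, a floor of twice the mean, twice the largest baseline daily total, one hour of slack around observed hours) are constructed assumptions for illustration:

```python
"""Behavioural anomaly detection over database-access audit records.

Added example; not Monster.com's or Imperva's code. The log format, users
and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log: "<ISO timestamp> <user> <table> <rows returned>".
# Two days of normal activity form the baseline; the third day contains one
# bulk pull at 03:17 and one low-and-slow day of slightly too many queries.
SAMPLE_LOG = """\
2009-01-19T09:12:04 recruiter_a resumes 40
2009-01-19T10:47:31 recruiter_a resumes 55
2009-01-19T14:03:10 recruiter_a resumes 38
2009-01-20T09:30:12 recruiter_a resumes 47
2009-01-20T11:15:44 recruiter_a resumes 52
2009-01-20T15:48:02 recruiter_a resumes 41
2009-01-19T09:05:00 recruiter_b resumes 20
2009-01-19T13:22:17 recruiter_b resumes 25
2009-01-20T10:10:10 recruiter_b resumes 22
2009-01-20T16:40:55 recruiter_b resumes 19
2009-01-21T03:17:09 recruiter_a resumes 250000
2009-01-21T10:02:33 recruiter_b resumes 24
2009-01-21T13:15:40 recruiter_b resumes 23
2009-01-21T14:30:05 recruiter_b resumes 25
2009-01-21T16:05:12 recruiter_b resumes 22
"""


def parse_log(text):
    """Parse audit lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, table, rows = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "table": table, "rows": int(rows)})
    return records


def build_baselines(records, baseline_end):
    """Per-user profile from records before baseline_end: rows per query,
    largest daily total, and the hours of day the user was active."""
    per_user = defaultdict(list)
    for r in records:
        if r["ts"] < baseline_end:
            per_user[r["user"]].append(r)
    baselines = {}
    for user, recs in per_user.items():
        sizes = [r["rows"] for r in recs]
        daily = defaultdict(int)
        for r in recs:
            daily[r["ts"].date()] += r["rows"]
        baselines[user] = {"mean": mean(sizes), "stdev": pstdev(sizes),
                           "max_daily": max(daily.values()),
                           "hours": {r["ts"].hour for r in recs}}
    return baselines


def detect_anomalies(records, baseline_end, z=3.0):
    """Flag queries at or after baseline_end that deviate from the user's profile."""
    baselines = build_baselines(records, baseline_end)
    running = defaultdict(int)  # cumulative rows per (user, day) in the eval window
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["ts"] < baseline_end:
            continue
        reasons = []
        profile = baselines.get(r["user"])
        if profile is None:
            reasons.append("no-baseline")  # unknown account: nothing to compare against
        else:
            # Floor of 2x mean guards against a zero stdev from a constant baseline.
            limit = max(profile["mean"] + z * profile["stdev"], 2 * profile["mean"])
            if r["rows"] > limit:
                reasons.append("volume")
            # Many normal-sized queries can still add up: check the day's running total.
            key = (r["user"], r["ts"].date())
            running[key] += r["rows"]
            if running[key] > 2 * profile["max_daily"]:
                reasons.append("daily-volume")
            # One hour of slack either side of the hours seen in the baseline.
            near = {(h + d) % 24 for h in profile["hours"] for d in (-1, 0, 1)}
            if r["ts"].hour not in near:
                reasons.append("off-hours")
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"], "table": r["table"],
                             "rows": r["rows"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG), datetime(2009, 1, 21)):
        print(f["ts"].isoformat(), f["user"], f["table"], f["rows"], ",".join(f["reasons"]))
```

On the constructed log this flags the 03:17 bulk pull on all three counts and, separately, recruiter_b's fourth query of the day once the running daily total passes twice the baseline maximum, which is the low-and-slow case a per-query size check alone would miss.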

Whether Monster.com's parent company Monster Worldwide (NASDAQ: MNST) was aware that some accounts had been phished remains unknown: Nikki Richardson, its senior vice president of corporate communications, declined to discuss the issue with InternetNews.com because the breach is under investigation.

But, as the latest breach shows, its security was still not up to scratch, even though it had already been hacked this past August. In that earlier breach, confidential information about 1.3 million users was stolen.

Lightning does strike twice

In the latest breach, user IDs and passwords for the site were stolen. The hackers also obtained users' dates of birth, gender, ethnicity and, in some cases in the U.S. only, state of residence, Richardson said.

Users' Social Security numbers and personal financial data were not exposed, because Monster.com does not collect that data, but the thieves still have more than enough information to identify anyone whose data was stolen.